We have not identified any benign triggers associated with this signature. Could you provide a traffic sample of the questionable traffic?
You can upload your capture directly on Netpro. When you post an answer, you'll notice the "Add Attachments" link below the Post button.
We are seeing this as well. In our environment it's on a Unisys printer attached with an external HP Jetdirect server.
I have a log but cannot attach it here directly due to any information that is in it that may be confidential. I'd be happy to upload it directly via another avenue.
Cisco MUST do a better job of tuning their signatures. We implemented a Juniper IDP (inline and blocking) and I only rely on the Cisco IDSs for secondary / tertiary information b/c of this very reason. I spent about 1 full day chasing down the false positives on this one signature. A huge waste of my company's time and money and another reminder that we made the right choice in implementing our Juniper IDP.
Contact me directly with any questions about our Juniper Intrusion Prevention and Detection appliance. It sits inline and filters our VPN, Internet and RAS segments coming into our network.
I have identified a trend between multiple traces that are triggering the 3334 signature. It appears that RPC traffic to Lexmark printers is triggering this signature and creating false positives. If this is the case on your network, you will be able to see the Lexmark information later in the stream if you enable ip logging. Please let me know if you are seeing the same type of traffic.